RE: crypto without MD5 (ITS#3039)
This is not an OpenLDAP bug. See the note about OpenSSL and crypt() in the
FAQ.
http://www.openldap.org/faq/index.cgi?file=185
Your version of OpenSSL is out of date, this problem no longer exists in
current versions of OpenSSL.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-bugs@OpenLDAP.org
> [mailto:owner-openldap-bugs@OpenLDAP.org]On Behalf Of
> mys@faveve.uni-stuttgart.de
> Sent: Thursday, March 25, 2004 9:06 AM
> To: openldap-its@OpenLDAP.org
> Subject: crypto without MD5 (ITS#3039)
>
>
> Full_Name: Martin Strauss
> Version: openldap-2.1.25
> OS: linux (debian woody)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (129.69.120.70)
>
>
> Hi,
> OpenLDAP links against libcrypto without checking whether
> the crypt() function it provides is compatible with the version found in
> libcrypt (glibc).
>
> glibc provides an extension for password hashing:
>
> GNU EXTENSION
> The glibc2 version of this function has the following additional
> features. If salt is a character string starting with the three
> characters "$1$" followed by at most eight characters, and optionally
> terminated by "$", then instead of using the DES machine, the glibc
> crypt function uses an MD5-based algorithm, and outputs up to 34 bytes,
> namely "$1$<string>$", where "<string>" stands for the up to 8
> characters following "$1$" in the salt, followed by 22 bytes chosen
> from the set [a-zA-Z0-9./]. The entire key is significant here
> (instead of only the first 8 bytes).
>
> Most authentication programs use this feature via PAM;
> the same is true for the pam_ldap module.
> It would be nice to make slapd compatible with this format.
>
> However, on a Debian (woody) installation libcrypto (from OpenSSL)
> does not provide this feature, and OpenLDAP configures with
> the TLS libraries -lssl -lcrypto, and is therefore incompatible
> with this format.
>
> I circumvent this by patching the config.status file
> => linking against -lssl -lcrypt -lcrypto works fine
>
> Packages :
> libssl0.9.6 0.9.6c-2.woody
> libc6 2.2.5-11.5
>
> Compilation:
> tar xzf ../archiv/openldap-stable-20031217.tgz
>
> cd openldap-2.1.25
>
> ./configure --prefix=/usr/local/app/openldap-2.1.25 \
>     --enable-syslog \
>     --without-cyrus-sasl \
>     --with-threads \
>     --with-tls \
>     --enable-slapd \
>     --enable-cleartext \
>     --enable-crypt \
>     --enable-bdb \
>     --enable-slurpd
>
> # put -lcrypt ahead of -lcrypto so the linker resolves crypt() from glibc,
> # not from OpenSSL's libcrypto
> mv config.status config.status.orig
> sed -e "s/-lcrypto/-lcrypt -lcrypto/" config.status.orig > config.status
> ./config.status
>
> make depend
> make
> thanx, Martin
>
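The "$1$" MD5-crypt format that the quoted glibc man page describes is what slapd must produce and verify for `{CRYPT}` userPassword values written by PAM-based tools. The following is an added example, not OpenLDAP or glibc code: a pure-Python reimplementation of the algorithm (hashlib only, so it runs without libcrypt) plus a verify helper that accepts OpenLDAP-style `{CRYPT}` prefixes. The test vector is hashcat's published md5crypt example hash; the DES-style string used to show rejection is a constructed placeholder, not a real hash.

```python
"""MD5-crypt ("$1$") as described by the glibc crypt(3) GNU extension.

Added example, not code from OpenLDAP or glibc. Implements only the "$1$"
format; traditional DES crypt is deliberately not implemented.
"""
import hashlib
import hmac
import secrets

MAGIC = "$1$"
# crypt's 64-character alphabet, in the order the algorithm indexes it
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` characters, six bits each, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return "$1$<salt>$<22 chars>"; salt may carry a "$1$" prefix and "$" terminator."""
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split("$", 1)[0][:8]  # at most eight salt characters
    pw = password.encode("utf-8")
    sb = salt.encode("utf-8")

    # alternate digest MD5(pw, salt, pw), mixed in 16 bytes per 16 bytes of pw
    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + MAGIC.encode("ascii") + sb)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # one byte per bit of len(pw): NUL for set bits, pw[0] for clear bits
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds with the data-dependent ordering of the original
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"{MAGIC}{salt}${encoded}"


def generate_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet; eight characters is the maximum used."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def verify(password: str, stored: str) -> bool:
    """Check password against a "$1$..." value, optionally with OpenLDAP's {CRYPT} prefix.

    Anything that is not "$1$" (e.g. a 13-character DES crypt value) is rejected
    rather than compared, since only the MD5 format is implemented here.
    """
    if stored.startswith("{CRYPT}"):
        stored = stored[len("{CRYPT}"):]
    if not stored.startswith(MAGIC):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5_crypt(password, salt), stored)


if __name__ == "__main__":
    h = md5_crypt("hashcat", "28772684")
    print(h, verify("hashcat", "{CRYPT}" + h))
```

The structural points from the man page are visible in the output: 34 bytes total for an eight-character salt, the `$1$<salt>$` prefix, 22 trailing characters from `[a-zA-Z0-9./]`, and, unlike DES crypt, every byte of the password affects the result.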